LFISuite: An Automatic LFI Exploiter & Scanner!

This is a short post about LFISuite, an open source local file inclusion scanner and exploiter written in Python. It supports multiple attack points and also has TOR proxy support. We all know that Local File Inclusion (also known as LFI) is the process of "including" files that are already present locally on the server, by exploiting a vulnerable inclusion procedure in an application that accepts unsanitized input.

OWASP states this more clearly:

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
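To make the OWASP definition concrete, here is an added example (not code from LFISuite or from this post) showing the unsafe inclusion pattern it describes next to a hardened resolver a defender would use instead. The template root, the file names and the allowlist are constructed for the example; the three layers in the hardened version are the allowlist, the rejection of stream wrappers and NUL bytes, and a canonical-path containment check, because a containment check on its own does not stop wrappers such as php:// (the "php:" prefix simply looks like a directory name).

```python
"""Added example: an LFI-prone include resolver beside a hardened one."""
from pathlib import Path
from typing import Optional, Set

# Constructed: the only directory the application should ever include from.
TEMPLATE_ROOT = "/var/www/app/templates"


def vulnerable_resolve(root: str, name: str) -> str:
    """The flaw OWASP describes: the request parameter is glued onto a base
    path with no sanitization, so name='../../../../etc/passwd' leaves the
    template directory entirely."""
    return f"{root}/{name}"


def hardened_resolve(root: str, name: str,
                     allowlist: Optional[Set[str]] = None) -> Optional[str]:
    """Return an absolute path inside `root`, or None if the request must be
    refused. Layers, in order:
      1. optional allowlist: the only fully reliable fix when the set of
         includable files is known up front;
      2. reject stream wrappers (php://, data://, expect://, ...) and embedded
         NUL bytes; a path-containment check alone does not catch these;
      3. canonicalise and require the result to stay under `root`, which
         stops dot-dot-slash traversal and absolute paths alike."""
    if not name:
        return None
    if allowlist is not None and name not in allowlist:
        return None
    if "://" in name or "\0" in name:
        return None
    base = Path(root).resolve()          # strict=False: root need not exist yet
    candidate = (base / name).resolve()  # collapses ../ and follows symlinks
    if candidate == base:
        return None                      # the directory itself is not a file
    try:
        candidate.relative_to(base)
    except ValueError:                   # resolved to somewhere outside root
        return None
    return str(candidate)


if __name__ == "__main__":
    for probe in ("home.php", "../../../../etc/passwd", "/etc/passwd",
                  "php://filter/convert.base64-encode/resource=index"):
        print(f"{probe!r:55} -> {hardened_resolve(TEMPLATE_ROOT, probe)}")
```

In PHP the same containment check is done with realpath() before include; the important part is that the comparison happens on the canonicalised path, not on the raw parameter, and that the wrapper check is separate from it.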

Features of LFISuite:

Multi-operating system support – works on Windows, Linux and Mac OS X.

Automatic configuration.

Automatic updates.

Provides 8 different local file inclusion attack modalities:

/proc/self/environ

php://filter

php://input

/proc/self/fd

access log

phpinfo

data://

expect://

Provides another option called Auto-Hack, which scans and exploits the target automatically by trying all the attacks one after the other without user interaction.

TOR proxy support.

Reverse shell for Windows, Linux and Mac OS X.
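The attack modalities listed above are also the strings a defender should expect to see in web server logs when a scanner like this one runs against an application. The following is an added example, not part of the post or of LFISuite, of a small detector that runs over Apache/Nginx combined-format access log lines and reports which of those probe patterns each request matches; the log lines, the IP addresses and the signature names are constructed for the example, and the detector decodes the URI twice so that double-encoded traversal is not missed.

```python
"""Added example: flag LFI probe patterns in web server access logs."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Signatures for the probe types the post lists, plus plain dot-dot-slash traversal.
LFI_SIGNATURES = {
    "traversal":      re.compile(r"(?:\.\./|\.\.\\)"),
    "proc_environ":   re.compile(r"/proc/self/environ"),
    "proc_fd":        re.compile(r"/proc/self/fd/\d+"),
    "php_filter":     re.compile(r"php://filter", re.I),
    "php_input":      re.compile(r"php://input", re.I),
    "data_wrapper":   re.compile(r"\bdata:(?://)?", re.I),
    "expect_wrapper": re.compile(r"expect://", re.I),
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow)"),
}

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign request followed by four scanner probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2019:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2019:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1873 "-" "python-requests/2.21.0"',
    '10.0.0.9 - - [01/Mar/2019:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096 "-" "python-requests/2.21.0"',
    '10.0.0.9 - - [01/Mar/2019:10:00:04 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fproc/self/environ HTTP/1.1" 500 0 "-" "python-requests/2.21.0"',
    '10.0.0.9 - - [01/Mar/2019:10:00:05 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 120 "-" "python-requests/2.21.0"',
]


def normalise(uri: str) -> str:
    """Decode twice: %252e%252e%252f becomes %2e%2e%2f and then ../"""
    return unquote(unquote(uri))


def scan_line(line: str) -> Optional[Dict]:
    """Return an alert record for a log line that matches any signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # malformed line: skip, do not crash
    uri = normalise(m.group("uri"))
    hits = [name for name, rx in LFI_SIGNATURES.items() if rx.search(uri)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "uri": uri, "signatures": hits}


def scan_log(lines: List[str]) -> List[Dict]:
    return [alert for alert in (scan_line(l) for l in lines) if alert]


def summarise(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Distinct signature names per source IP; several in a short window is the
    fingerprint of an automated scanner trying every modality in turn."""
    per_ip: Dict[str, set] = {}
    for a in alerts:
        per_ip.setdefault(a["ip"], set()).update(a["signatures"])
    return {ip: sorted(sigs) for ip, sigs in per_ip.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]} {a["status"]} {a["uri"]} -> {", ".join(a["signatures"])}')
    print(summarise(found))
```

Note that a 200 response on a traversal or php://filter probe, as in the second and third sample lines, is the signal that matters most: it suggests the include actually succeeded, whereas the 500 on the /proc/self/environ probe is more likely a refused or failed attempt.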

After a successful detection, LFISuite also offers you the option of opening a reverse shell. On Windows, this uses Pentestmonkey's reverse Bash shell, which you catch with a netcat listener. Apart from Python itself, it only needs the termcolor and requests packages.
